
Device and Other Hardware Passwords

In document FINAL Version 1.3 April 17, 2014 (Page 94-97)

4.4.1 COMPUTER FIRMWARE PASSWORDS

Almost all computer systems with Basic Input Output System (BIOS) firmware come with the ability to password protect it. On many systems, a variety of BIOS passwords can be set, and each type provides a different protection. For example, BIOS configuration (setup) passwords are intended to prevent unauthorized changes to the BIOS configuration, such as altering the boot order so that the computer can be booted from removable media. BIOS boot passwords, by contrast, must be entered before the system boots, so that unauthorized users cannot boot the computer. However, most motherboard manufacturers have procedures that can be used to remove BIOS passwords and restore the system to a default configuration. In some cases this requires shorting pins or moving a jumper on the motherboard, or removing and replacing a chip, but in other cases a much simpler procedure is available: many BIOSs include backdoor passwords that always work, and others can be recovered using custom software programs or specific key sequences pressed while the machine is booting. Because of this, BIOS passwords should be considered only a deterrent. They provide no protection for data on the disk, which can simply be removed and read in another machine.

A newer technology replacing BIOS firmware is the Extensible Firmware Interface (EFI). EFI passwords can be set to protect the system’s configuration; that is, they protect the firmware settings from corruption or tampering. However, like BIOS passwords, EFI passwords can be circumvented by anyone who has physical access to the system. EFI passwords should be considered a deterrent to unauthorized access, not a true form of protection.

The “gold standard” of firmware protection is defined in NIST SP 800-147, BIOS Protection Guidelines, and NIST SP 800-155, BIOS Integrity Measurement Guidelines, and is complemented by version 2.3.1 of the Unified Extensible Firmware Interface (UEFI) specification, the first version to define Secure Boot. Secure Boot requires a root of trust (signing keys and certificates stored in protected firmware variables), digital certificates, and digital signatures on every boot component. To maximize protection against firmware attacks, make sure purchases include devices that support UEFI 2.3.1 or later with Secure Boot enabled.

UEFI Secure Boot works as the boot process executes. Each stage verifies the signature on the next stage and, if the signature is valid, passes execution to it. Verifying a signature involves computing a cryptographic digest of the code and checking that digest against the signature shipped with it, using a certificate the firmware already trusts. Note that the firmware itself verifies option ROMs, UEFI drivers and the boot loader; carrying the chain on to the kernel and its modules is the responsibility of the boot loader and the operating system.

April 17, 2014 - Version 1.3 (FINAL) 87

Unfortunately, UEFI 2.3.1 or later requires platform firmware written for it; a legacy BIOS system generally cannot be upgraded to it, so if you don’t already have a UEFI 2.3.1 device, it will probably take a new purchase to get one. All Microsoft Windows 8- and Windows Server 2012-certified computers have UEFI 2.3.1 capability and the related Windows Secure Boot technology built in.

4.4.2 HARD DRIVE PASSWORDS

Some hard drives support the use of passwords to restrict access to the drive (the ATA Security feature set). For example, a drive might have a master password (for administrative purposes) and a user password, and it could support two security modes: high security and maximum security. In a managed IT environment, the user of a system would be given the user password, and the master password would be retained by administrative staff. In high security mode, the drive can be unlocked with either the user or the master password, and the hard drive passwords can only be removed from the drive after supplying the master password. In maximum security mode, the drive can only be unlocked with the user password, and the master password can only be used to erase the drive and remove the hard drive passwords (i.e., the drive must be erased before the passwords are removed). Unlike BIOS passwords, which are stored on a chip on the motherboard, hard drive passwords are stored on the hard drive itself. Even if the disk is moved to a new system, read and write operations cannot be performed on the drive until one of the passwords is entered. Two caveats apply. Many drives ship with a factory default master password already set; if it is never changed, anyone who knows the vendor’s default can unlock a drive that is in high security mode. And the lock is enforced by the drive’s firmware, not by encryption: on a drive that is not self-encrypting, the data on the platters is stored in the clear, so vendor tools and recovery services can retrieve or reset the passwords or read the platters directly. Although hard drive passwords do provide a higher level of security and a more effective deterrent to a casual attacker than BIOS passwords, they cannot be relied on to provide a high level of security. A more effective solution to protect hard drives from unauthorized access is full disk encryption, which encrypts all information on the hard drive and only decrypts it if the appropriate authentication is provided.
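Worked example, added here and not part of the original document: decoding the ATA security status from an IDENTIFY DEVICE response so that the modes described above can be checked on a real drive before anyone tries a password. The bit layout of word 128 and the master password identifier in word 92 follow the ATA specification; the IDENTIFY buffers below are constructed samples rather than data from a real drive, and the value 0xFFFE for the factory master password identifier is the common default, not a guarantee.

```python
import struct
from dataclasses import dataclass

# IDENTIFY DEVICE word 128 (Security status) bit layout, per the ATA specification.
SEC_SUPPORTED      = 0x0001
SEC_ENABLED        = 0x0002
SEC_LOCKED         = 0x0004
SEC_FROZEN         = 0x0008
SEC_COUNT_EXPIRED  = 0x0010
SEC_ENHANCED_ERASE = 0x0020
SEC_LEVEL_MAXIMUM  = 0x0100   # 0 = high security mode, 1 = maximum security mode

DEFAULT_MASTER_ID = 0xFFFE    # word 92 left at the usual factory value (assumption: common, not universal)


@dataclass
class AtaSecurity:
    supported: bool
    enabled: bool
    locked: bool
    frozen: bool
    count_expired: bool
    enhanced_erase: bool
    maximum_mode: bool
    master_id: int


def words_from_identify(raw: bytes) -> list:
    """Split a 512-byte IDENTIFY DEVICE response into 256 little-endian 16-bit words."""
    if len(raw) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    return list(struct.unpack("<256H", raw))


def decode_security(words: list) -> AtaSecurity:
    """Decode the security-related fields of IDENTIFY DEVICE (words 92 and 128)."""
    status = words[128]
    return AtaSecurity(
        supported=bool(status & SEC_SUPPORTED),
        enabled=bool(status & SEC_ENABLED),
        locked=bool(status & SEC_LOCKED),
        frozen=bool(status & SEC_FROZEN),
        count_expired=bool(status & SEC_COUNT_EXPIRED),
        enhanced_erase=bool(status & SEC_ENHANCED_ERASE),
        maximum_mode=bool(status & SEC_LEVEL_MAXIMUM),
        master_id=words[92],
    )


def password_capabilities(sec: AtaSecurity) -> dict:
    """What each password can do in the drive's current mode (SECURITY UNLOCK vs SECURITY ERASE UNIT)."""
    if not (sec.supported and sec.enabled):
        return {"user": set(), "master": set()}
    # In maximum mode the master password cannot unlock; it can only erase the drive.
    master = {"erase"} if sec.maximum_mode else {"unlock", "erase"}
    return {"user": {"unlock", "erase"}, "master": master}


def assess(sec: AtaSecurity) -> list:
    """Plain-language findings to read before touching the drive."""
    if not sec.supported:
        return ["drive does not implement the ATA security feature set"]
    notes = []
    if not sec.enabled:
        notes.append("no user password set: drive is readable by anyone who attaches it")
    if sec.enabled and not sec.maximum_mode and sec.master_id == DEFAULT_MASTER_ID:
        notes.append("high security mode with factory master password identifier: vendor default master password may unlock it")
    if sec.locked and sec.maximum_mode:
        notes.append("locked in maximum security mode: master password can only erase, not unlock")
    if sec.frozen:
        notes.append("security frozen by firmware: passwords cannot be set or changed until a power cycle")
    if sec.count_expired:
        notes.append("unlock attempt counter exhausted: unlock and erase are rejected until a power cycle")
    return notes


def make_identify(word92: int, word128: int) -> bytes:
    """Constructed sample IDENTIFY DEVICE buffer (not from a real drive) with only the security words set."""
    words = [0] * 256
    words[92], words[128] = word92, word128
    return struct.pack("<256H", *words)


# Constructed samples: factory-default unlocked drive, a drive locked in maximum mode, one locked in high mode.
FACTORY_DRIVE = make_identify(DEFAULT_MASTER_ID, SEC_SUPPORTED | SEC_ENHANCED_ERASE)
LOCKED_MAX_DRIVE = make_identify(0x0001, SEC_SUPPORTED | SEC_ENABLED | SEC_LOCKED | SEC_ENHANCED_ERASE | SEC_LEVEL_MAXIMUM)
LOCKED_HIGH_DRIVE = make_identify(DEFAULT_MASTER_ID, SEC_SUPPORTED | SEC_ENABLED | SEC_LOCKED)

if __name__ == "__main__":
    for name, raw in [("factory", FACTORY_DRIVE), ("locked-max", LOCKED_MAX_DRIVE), ("locked-high", LOCKED_HIGH_DRIVE)]:
        sec = decode_security(words_from_identify(raw))
        print(name, password_capabilities(sec), assess(sec))
```

On a live system the 512-byte buffer comes from whatever tool issues IDENTIFY DEVICE on your platform; the decoder only cares about the word layout. The useful output is the asymmetry it makes explicit: a drive locked in maximum mode with a lost user password is an erase-only situation, whereas a high-mode drive with an untouched factory master identifier may be openable by anyone who knows the vendor default.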

4.4.3 TRUSTED PLATFORM MODULE (TPM) PASSWORDS

A Trusted Platform Module (TPM) chip is a tamper-resistant integrated circuit built into some motherboards that can perform cryptographic operations (including key generation) and protect small amounts of sensitive information, such as passwords and cryptographic keys. Each TPM has an owner password (owner authorization), which is required to manage the TPM: taking ownership, clearing it, and other owner-privileged commands. Although the TPM can be disabled in the firmware setup by someone with physical access to the system, its protections cannot be circumvented: owner-privileged commands are refused without the owner password, and keys and sealed data the TPM protects are released only to a caller that presents their own authorization value and, for sealed data, only when the platform measurements match those recorded at sealing time. Therefore, it is important to choose a strong password for the TPM owner password and to protect its confidentiality. If the owner password is lost or forgotten, it can be reset by clearing the TPM, but clearing destroys the storage root key and with it every key the TPM protected, so disk-encryption keys that depend on the TPM (for example BitLocker’s) become unusable and their recovery keys must be escrowed beforehand. Either the owner password or the data protected by the TPM should therefore be backed up to an alternate secure location, after carefully considering and addressing the security considerations implicit in storing these types of sensitive information. (TPM 2.0 splits the single owner authorization of TPM 1.2 into separate owner, endorsement and lockout authorization values; the same guidance applies to each.)


The UEFI Secure Boot process is not the same as the TPM. UEFI Secure Boot is an architecture for loading and verifying signed firmware images, boot loaders, kernels, and modules; it does not require a TPM, and a TPM does not require Secure Boot. They relate in one important way: both can be used to establish a root of trust for the boot process.

The TPM method of creating a root of trust is different from UEFI Secure Boot. As code executes, it too creates a cryptographic digest of the next piece of code, but instead of verifying it, it sends the digest to the TPM, which extends a Platform Configuration Register (PCR): the new PCR value is the hash of the old value concatenated with the digest. At any point in the boot process the PCRs hold a record of everything measured so far, and a TPM quote command signs the current PCR values with an attestation key so that a (remote) verifier can compare them with known-good values. The process using a TPM is commonly referred to as “measured” or “trusted” boot, as opposed to UEFI “Secure” boot: Secure Boot refuses to run code whose signature does not verify, while measured boot runs the code and records the fact, leaving the judgement to whoever checks the measurements.
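Added example (not from the document): the extend-and-replay arithmetic behind measured boot, written in Python with SHA-256 as a TPM 2.0 PCR bank would use it. The boot components are constructed byte strings standing in for firmware images, and the TPM’s signature over the quote is left out; what the block shows is the part a verifier actually computes: replaying an event log to the quoted PCR value, comparing it against a known-good value, and how a tampered or reordered component, or a doctored log, shows up.

```python
import hashlib

ALGO = "sha256"   # a TPM 2.0 PCR bank; a TPM 1.2 has SHA-1 PCRs only


def measure(component: bytes) -> bytes:
    """Digest of the code or data about to be handed control, computed by the stage that loads it."""
    return hashlib.new(ALGO, component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || digest). One-way and order-dependent."""
    return hashlib.new(ALGO, pcr + digest).digest()


def replay(digests) -> bytes:
    """Recompute a PCR from an ordered list of event digests, starting from the reset value (all zero bytes)."""
    pcr = bytes(hashlib.new(ALGO).digest_size)
    for d in digests:
        pcr = extend(pcr, d)
    return pcr


def boot_and_measure(stages):
    """Simulated measured boot: each stage is digested and extended into the PCR before it runs.
    Returns the event log [(name, digest), ...] and the resulting PCR value."""
    log = [(name, measure(code)) for name, code in stages]
    return log, replay(d for _, d in log)


def verify_quote(event_log, quoted_pcr: bytes, golden_pcr: bytes) -> str:
    """Verifier side of attestation. The TPM signs quoted_pcr (signature check omitted here);
    the event log is untrusted and must reproduce the quoted value before it is believed."""
    if replay(d for _, d in event_log) != quoted_pcr:
        return "event log does not reproduce quoted PCR: log tampered or incomplete"
    if quoted_pcr != golden_pcr:
        return "PCR differs from golden value: boot chain changed"
    return "ok"


# Constructed stand-ins for real boot components (not firmware images).
GOOD_BOOT = [("firmware", b"UEFI firmware v1.0"),
             ("bootloader", b"signed bootloader"),
             ("kernel", b"kernel 3.10")]
TAMPERED_BOOT = [("firmware", b"UEFI firmware v1.0"),
                 ("bootloader", b"signed bootloader"),
                 ("kernel", b"kernel 3.10 + rootkit")]

if __name__ == "__main__":
    good_log, golden = boot_and_measure(GOOD_BOOT)
    bad_log, bad_pcr = boot_and_measure(TAMPERED_BOOT)
    print("golden PCR :", golden.hex())
    print("tampered   :", bad_pcr.hex(), "->", verify_quote(bad_log, bad_pcr, golden))
    # Reordering the same components also changes the PCR: the chain records a sequence, not a set.
    print("reordered  :", replay(d for _, d in reversed(good_log)).hex())
    # Secure Boot would have refused the modified kernel; measured boot runs it and records that it did.
```

The design point is in verify_quote: the event log is just data the booted system hands over, so it is trusted only after it replays to the PCR value the TPM itself signed. An attacker who rewrites the log to hide a component cannot make it replay to the honest quote, and an attacker who changes a component cannot keep the PCR equal to the golden value.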

4.4.4 NETWORK INFRASTRUCTURE DEVICE PASSWORDS

The simplest method of authentication for a network infrastructure device, such as a router or switch, is local authentication. Authentication credentials are stored on the device, and when a user attempts to authenticate, the presented credentials are compared with stored passwords or password hashes. Passwords stored on network infrastructure devices are sometimes unencrypted, or stored in a trivially reversible encoding, so physical security controls must be applied to protect the passwords from compromise, and configuration backups that contain them must be protected in the same way. These devices often have a single administrative account, so if multiple users need to administer a device, a centralized authentication system (such as RADIUS or TACACS+) should be configured for those network devices, with a separate account and password for each administrator to provide accountability.
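Added example, not from the document: an audit of locally stored credentials in an IOS-style configuration, illustrating the point above that passwords on network devices are often stored unencrypted or in a trivially reversible form. The configuration text is constructed (its hash values are placeholders, not real hashes), the line syntax assumed is Cisco IOS, the type 7 decoding is the well-known fixed-key XOR, and the mapping of type digits to algorithms is as documented for IOS.

```python
import re

# Fixed key used by IOS "type 7" password obfuscation; decoding is exact, not a guess.
TYPE7_XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Storage method implied by the type digit on an IOS password/secret line (None = no digit, stored as typed).
TYPE_INFO = {
    None: ("plaintext", "stored as typed"),
    "0":  ("plaintext", "stored as typed"),
    "7":  ("reversible", "fixed-key XOR, recoverable instantly"),
    "4":  ("weak-hash", "unsalted SHA-256, deprecated"),
    "5":  ("hash", "salted MD5, one-way but crackable offline"),
    "8":  ("hash", "PBKDF2-SHA256"),
    "9":  ("hash", "scrypt"),
}

# "password <value>", "password <type> <value>", "secret <type> <value>" at end of line.
CRED_RE = re.compile(r"\b(password|secret)\s+(?:(\d)\s+)?(\S+)\s*$")


def decode_type7(encoded: str) -> str:
    """Reverse a type 7 string: the first two digits are the key offset, the rest is hex of XORed bytes."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(TYPE7_XLAT[(seed + i) % len(TYPE7_XLAT)])) for i, b in enumerate(body))


def audit_config(config: str) -> list:
    """Find every password/secret line, classify how it is stored, and recover type 0/7 values."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = CRED_RE.search(line)
        if not m:
            continue
        keyword, ptype, value = m.groups()
        severity, how = TYPE_INFO.get(ptype, ("unknown", "unrecognised type digit"))
        recovered = None
        if severity == "plaintext":
            recovered = value
        elif ptype == "7":
            recovered = decode_type7(value)
        findings.append({"line": lineno, "text": line.strip(), "keyword": keyword, "type": ptype,
                         "value": value, "severity": severity, "how": how, "recovered": recovered})
    return findings


# Constructed sample configuration; the $1$ and $9$ values are placeholders, not real hashes.
SAMPLE_CONFIG = """\
! constructed sample, not from a real device
hostname edge-rtr-01
service password-encryption
enable secret 5 $1$Xk2p$9zBvGq3Ty7wL1aH4r0sU5e
username admin privilege 15 password 7 0822455D0A16
username backup password 0 letmein
username netops secret 9 $9$placeholderScryptValue
line con 0
 password cisco123
 login
line vty 0 4
 password 7 021010425A545C
 login
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        shown = f["recovered"] if f["recovered"] is not None else "(not recoverable from config)"
        print(f"line {f['line']:2}: {f['severity']:<10} {f['how']:<42} -> {shown}")
```

Note that "service password-encryption" only turns on type 7, which the audit recovers on the spot; a configuration that leaves the device, whether as a backup, a TFTP copy or a support attachment, carries those passwords in effectively clear form. Type 8 and 9 secrets are the only entries here that stay one-way.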

Another common method of network device administration is Simple Network Management Protocol (SNMP). SNMP version 1 and version 2c rely on cleartext community strings, which are used as passwords to grant access to the device. Since SNMPv1 and SNMPv2c send community strings across the network with no cryptographic protection, they should not be used to configure network infrastructure devices over untrusted networks. SNMP version 3 adds security to SNMP, including message authentication and encryption (the authPriv security level). A read-write community string is a device administrator password in all but name and should be treated as one. If any version of SNMP is used for remote administration, default community strings such as “public” and “private” should be removed before real community strings are put into place. If both are present on the device at any time, an attacker who guesses the default string could use it to retrieve the device’s configuration, and with it the real community strings.
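Added example, not from the document: a minimal BER parser that pulls the version and community string out of captured SNMP datagrams, showing exactly what someone sniffing v1/v2c traffic sees and flagging the default strings named above. The three packets are constructed captures (a v1 and a v2c GetRequest for sysDescr.0, and an SNMPv3 message trimmed to its header with the outer length adjusted to match), not real traffic.

```python
DEFAULT_COMMUNITIES = {"public", "private"}

# Constructed UDP payloads (not real captures): SNMP GetRequest for sysDescr.0 = 1.3.6.1.2.1.1.1.0.
SNMPV1_GET = bytes.fromhex(
    "3026"                       # SEQUENCE, 38 bytes
    "020100"                     # INTEGER msgVersion = 0 (SNMPv1)
    "04067075626c6963"           # OCTET STRING community = "public"
    "a019"                       # GetRequest-PDU, 25 bytes
    "020101" "020100" "020100"   # request-id 1, error-status 0, error-index 0
    "300e300c06082b06010201010100" "0500"   # VarBindList: sysDescr.0 = NULL
)
SNMPV2C_GET = bytes.fromhex(
    "3027" "020101"              # msgVersion = 1 (SNMPv2c)
    "040770726976617465"         # community = "private"
    "a019" "020101" "020100" "020100" "300e300c06082b06010201010100" "0500"
)
# SNMPv3: msgVersion = 3 followed by msgGlobalData; security parameters and PDU omitted, outer length adjusted.
SNMPV3_HEADER = bytes.fromhex("3012" "020103" "300d" "020101" "020205dc" "040104" "020103")


def read_tlv(buf: bytes, pos: int):
    """Parse one BER element at buf[pos]; returns (tag, value, position after it). Handles long-form lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def inspect_snmp(packet: bytes) -> dict:
    """Report the SNMP version and, for v1/v2c, the community string that travels in cleartext."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("msgVersion INTEGER missing")
    version = {0: "v1", 1: "v2c", 3: "v3"}.get(int.from_bytes(ver, "big"), "unknown")
    result = {"version": version, "community": None, "default_community": False, "cleartext_credential": False}
    if version in ("v1", "v2c"):
        tag, community, _ = read_tlv(body, pos)
        if tag != 0x04:
            raise ValueError("community OCTET STRING missing")
        text = community.decode("ascii", "replace")
        result.update(community=text, default_community=text.lower() in DEFAULT_COMMUNITIES,
                      cleartext_credential=True)
    # For v3 the second element is msgGlobalData (a SEQUENCE); credentials live in the USM parameters
    # and are never sent as a reusable cleartext string.
    return result


def audit_capture(packets) -> list:
    """One finding per datagram that exposes a community string; default strings are called out."""
    findings = []
    for i, pkt in enumerate(packets):
        info = inspect_snmp(pkt)
        if info["cleartext_credential"]:
            label = "DEFAULT" if info["default_community"] else "custom"
            findings.append(f"packet {i}: SNMP{info['version']} exposes {label} community string {info['community']!r}")
    return findings


if __name__ == "__main__":
    for line in audit_capture([SNMPV1_GET, SNMPV2C_GET, SNMPV3_HEADER]):
        print(line)
```

The parser stops at the message header on purpose: the point is that an eavesdropper needs nothing more than the first two elements of a v1/v2c datagram to obtain a credential that is valid until someone changes it on the device. Feeding it the UDP payloads from a capture of port 161/162 traffic turns the "no cryptographic protection" statement above into a list of exposed strings.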

4.4.5 GENERAL-USE OFFICE DEVICE PASSWORDS

Many general-use office devices, such as printers, scanners, and copiers, can be configured to be network accessible. Although security of these devices is not generally considered a high priority, the specific functionality of the devices should be considered before they are installed in a network environment. For example, many modern copiers are multifunction devices that can be used as printers or scanners and run a full operating system. On many of them, documents scanned into the device are stored by default for later retrieval from a network-accessible share or server. Without proper authentication in place, any user with network access to the device can retrieve every document in that cache. Unless the temporary loss of availability of the device, or the loss of confidentiality or integrity of information processed on it, would have minimal impact on the organization, default passwords should not be used. In some cases, simple office devices are designed without consideration given to user management: only a single administrative account is provided and a centralized authentication system cannot be used, so credentials are shared between administrators. Since these passwords must be shared, they should be dedicated to these devices, should not be reused on any other system, and should be changed whenever an administrator who knows them leaves.
